We are leaving behind data footprints wherever we are going. We interact with lots of individuals, organisations, companies, and most importantly, we use the internet, where we live behind personal data trails. Do you know, according to the current data protection law, you have the right of requesting personal information under GDPR? If you are giving personal data, you also have the right to access personal data.

You can ask companies, organisations and even social media platforms whether they are storing any kind of personal data on you. This blog is all about familiarising you with GDPR principles and how you can be requesting your personal data under GDPR.

What is GDPR?

It is essential to understand GDPR before you go requesting your personal data under GDPR. Firstly, GDPR stands for General Data Protection Regulation. It is a new law and legal guideline to collect and process personal data from people who are part of the European Union (EU). 

The GDPR is the strictest privacy and data protection law in the world. Though it is formed and passed by the European Union(EU), it also applies to organisations in other parts of the world that have connections with EU citizens. So no matter from which country the company or site is operating from, if they are to process personal data of European citizens, they have to abide by GDPR law.

Personal data are information that can help identify a person. If not protected well, people can be a victim of unwanted crimes. The data that can give the identification of a person can simply be their name and numbers. It also includes residential address, IP address, cookie identifier, or other factors that directly relate to an individual. Therefore, if a company is processing personal information that can make a person directly identifiable, they must follow the rules of GDPR.

The GDPR will impose strict penalties against anyone who violates the data privacy and security standards. The fine and penalties increases in magnitude depending on the violation and its impact and can reach up to tens of millions of euros. From May 25, 2018, the GDPR is in action.

Hence, the GDPR stands guard to protect the personal data of EU citizens and maintains a strong ground for data privacy. It is very important in a time when people are providing and entrusting data in cloud services, and data breaches can occur at any time.

What are the Principles of GDPR?

The GDPR establishes seven fundamental principles for the lawful processing of personal data. The principles are at the heart of the GDPR; they serve as the regulation’s core tenets and guide compliant processing. The collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure, or destruction of personal data falls under processing. 

Therefore, companies must abide by the following principles:

1. Lawfulness, Fairness and Transparency

Companies must process data lawfully, fairly and maintain transparency while obtaining it.

2. Purpose Limitation

The data should be used only for the purpose it was taken for and not beyond that. The company cannot further process data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if the data was not taken for that purpose.

3. Data Minimisation

When collecting personal data, organisations must collect adequate, relevant and limited information that is strictly related to the reason for which the data is taken.

4. Accuracy

The stored data must be correct and up to date. Therefore, they must do everything to store the right data. They must also erase or rectify the data as soon as possible if there is any incorrect data.

5. Storage Limitation

They must be kept in a form that allows data subjects to be identified for no longer than is compulsory for the reasons for which the personal data are processed. 

6. Integrity and Confidentiality (Security)

Data should be processed in a way that preserves adequate security of personal data. This involves safeguarding against unauthorised or unlawful processing, as well as accidental loss, destruction, or damage by implementing suitable technical and organisational safeguards.

7. Accountability

Controllers of personal data are accountable for adhering to the regulations and regulation letter.  It is also the responsibility of the data controllers to ensure that their processing is consistent.

What are The Rights of an Individual Under GDPR?

Even though the GDPR rules are strictly imposed on data controllers or businesses, their main concern is maintaining the privacy of the data subject. The GDPR’s rules, restrictions, and requirements are designed to safeguard data subjects (or users) and preserve their rights. Early in the legislation, the GDPR expresses its commitment to European citizens and data subjects.

Chapter 3 of the GDPR guide give an account of individual rights on their data. The Rights of the Data Subjects are:

1. The Right to Information
2. The Right of Access
3. The Right to Rectification
4. The Right to Erasure
5. The Right to Restriction of Processing
6. The Right to Data Portability
7. The Right to Object
8. The Right to Avoid Automated Decision-Making

What is the Right to Access?

The second Right of the data subject is that they have the right to access your data from anyone who has them. Therefore, you have the right to requesting your personal data. As a result, you can request a copy of personal data that is in possession of a data controller or a business. Also, you can ask to see any information that concerns you. The request you make to see your personal data is called Subject Access Request or Access Request. 

What can you Expect from Your Subject Request Access?

There are some aspects of the Right to access your personal data that an organisation may hold on you. Firstly, they have to confirm if they are processing any of your data. If that is the case, here is the information that they must provide you are:

1. The purposes of processing the data.
2. The categories of personal data that are concerned in the process.
3. List of people, groups or other organisations where they are sharing the data. Particularly, notify you if they are disclosing data to any third countries or international organisations.
4. If possible, give you the exact timespan they will keep your data in their possession. Or at least the process they use to determine the time they will keep your data.
5. They will also provide you with the option on the right to request to rectify or erase your data. Also, you can ask to restrict the processing of your personal data.
6. The right to complain to a supervisory authority.
7. In case the personal data is not directly collected from you, the organisation has to provide the source of information.

Additional Information in The Right To Access

Here is how requesting personal information under GDPR law works in an organisation.

If the personal data is sent to a third country or international organisation, you have the right to be informed. The organisation will also notify you about the data processing method and the safeguarding procedures relevant to the transfer. The transferring process falls under Article 46 of the GDPR official guidelines.

Moreover, the controller must provide you with a copy of the data that are going through any kind of process. If you request further details or copies of your personal data, the data controller may charge you a small fee according to the administrative cost. 

Furthermore, if you make your access request through any electronic means, you will get the information’s through electric means unless you have requested it in some other way. Lastly, the right to obtain a copy of your personal data processing must not adversely affect someone else’s rights and freedoms.

Requesting Personal Information Under GDPR

There is no one way or strict method out there for requesting personal information under GDPR. Therefore, you can make your subject access request verbally or in written form. The Data Protection Commissioner (DPC), however, prefers written access requests. Here is a template.

Dear X,

I would like to make an access request under Article 15 of the General Data Protection Regulation (GDPR) for a copy of the information you have about me, on a computer or in manual form in relation to …

Here are the important steps you can follow for requesting personal information under GDPR for any organisation like a police station according to ICO:

Step:1

• Find out where to send your request.
• Think about what personal information you want to access.

Step: 2 

• Make your request directly to the organisation.
• State clearly what you want.

You might not need all the categories of personal information that an organisation is holding on you. Specifying what information you are exactly looking for will help to access the data as fast as possible.

When you are requesting personal information under GDPR, include the information mentioned below:

1. Your name and contact.
2. Any details that the organisation can use to distinguish you from another person with the same name like an ID or account number.
3. Any details or relevant dates that will help specify what information you are looking for.

Step: 3 

• Keep a copy of your request.
• Keep any proof of postage or delivery.

Important Note: 

Your Access Request might be denied in some circumstances. Under Schedule 2, Part 2, Paragraph 14 of the Data Protection Act 2018 states that: 

“The listed GDPR provisions do not apply to personal data processed by (a) an individual acting in a judicial capacity or (b) a court or tribunal acting in its judicial capacity.”

Conclusion

To conclude, requesting personal information under GDPR is your right as a European Union citizen. You can do it for all the organisations that are likely to have your personal data. But you have to provide valid identification and a reason to do so. If you have any questions and confusion, you can join our GDPR course and gain full expertise on this matter.